Australian Government - Office of the Australian Information Commissioner

Privacy Awareness Week 2013 Privacy Commissioner's Update

Presentation by Timothy Pilgrim to Privacy Awareness Week 2013 Business Breakfast, 29 April 2013

Introduction

Thank you John, and thank you Attorney for spending time with us this morning.

It’s great to see you all here for the start of what promises to be our most successful Privacy Awareness Week to date. There is a significant amount of activity in the privacy field.

We are less than 10 months out from the most significant reforms of Australian privacy laws in their over 25 year history.

Every day the media reports on exciting new technologies that raise privacy questions. At the same time organisations are embracing privacy by design, not only as good privacy practice, but also a market differentiator. 

Individuals are increasingly enforcing their privacy rights. In 2011–12, the office received 1357 privacy complaints (an increase of 11% from the previous year). Not surprisingly, data security was one of the top four reasons for complaints against private sector organisations.

Information security is clearly a significant privacy issue and has emerged as a major challenge for all of us. As technologies are evolving, so are the privacy risks. For example, there are more opportunities for hackers to compromise information security infrastructure. You will be familiar with last week’s AFP arrest of the leader of hacking group Lulzsec and the release under FOI of documents that showed the Australian Bureau of Statistics is regularly the target of cyber-attacks. These attacks won’t stop coming and the personal information of Australians is constantly at risk.

This morning I want to talk to you about our new Guide to Information Security and how we plan to use it in our enforcement work in the future. I also want to look back at some of the own motion investigations that we have conducted that feature information security issues. I will then touch on the new requirements under Australian Privacy Principle 11 on the security of personal information. 

Guide to information security

Earlier this year we conducted a public consultation on the guide and received 25 submissions. Thank you to all of you who made a submission, your contributions were valuable and the guide has been finalised with these in mind.

The new Guide to Information Security is intended to send a number of important messages:

  • First, we want to highlight the range of risks to the security of personal information, including mistaken release, loss and malicious hacking.
  • We want to remind business why good privacy practices make good business sense. And we want to promote a ‘privacy by design’ approach, something I know Stephen and Gary want to talk about today too.

One way to achieve ‘privacy by design’ is to conduct a Privacy Impact Assessment (or PIA). The OAIC strongly recommends that all entities covered by the Privacy Act undertake a PIA for any new business processes that involve the handling of personal information. From 12 March 2014 I will be able to require these of government agencies under the new laws.

‘Privacy by design’ is also the focus of Australian Privacy Principle 1 which requires entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. By complying with this APP you will be establishing a culture and processes in your organisation that will assist you to comply with all the other APPs.

You may have read the recent Australian Financial Review article on a ‘data breach insurance’. In my view, taking a privacy by design approach, including conducting PIAs and embedding best practice information handling procedures is the best ‘insurance’ your organisation can have against data breach.

Our Guide to Information Security can also help here. The last section of the Guide sets out various strategies to ensure appropriate safeguards are in place to protect personal information. I won’t go into each of these now as they are outlined in the Guide and one page summary in your information packs.

However, I did want to note that, while the guide is not binding, it sends a clear message about my expectations in this area, so naturally we intend to refer to it when assessing compliance with the data security obligations in the Privacy Act.

Investigations

All seven of the high profile own motion investigations I conducted in 2011–12 involved data security issues and I’ll just touch on a couple of these.

In June 2012, I completed an investigation into an incident involving the compromise of a technology company’s customer information via their email marketing service provider due to malware. In that instance the company was able to respond quickly and appropriately to the breach because they maintained good information security protocols and applied a number of international industry standards, something that is recommended in our Guide.

The company also conducted regular security training and had a comprehensive security policy reviewed and updated annually. All employees were required to sign a statement acknowledging they have read and agree to the security policy. And all employees and contractors were required to sign non-disclosure agreements.

Despite these measures, an employee inadvertently caused malware to be installed on the organisation's system. This was a sophisticated and malicious attack which required expert knowledge to execute. However, such an attack does not necessarily mean that the organisation has failed to take ‘reasonable steps’, and I found that at the time of the incident the company had reasonable steps in place and met its obligations under the Privacy Act.

In contrast, around the same time I completed an investigation where an organisation’s customer information was deliberately ‘hacked’. Although the organisation responded promptly to the data breach, I found that the hack was made possible as a result of a vulnerability in the security of their data storage systems. The organisation had conducted over 200 security tests prior to the incident occurring. However, the testing involved only a sample of the organisation’s activity, and as a result, the area of the website containing the vulnerability was not tested. Because testing was limited, the vulnerability was not discovered until it had already been exploited. I therefore concluded that the company failed to have adequate security measures in place to protect the personal information it held.

Another high profile incident involved a customer management tool becoming publicly available on its website. In this case, it was revealed that a number of events led to the incident — from initial project planning through to roll out. Significantly, the first error was the incorrect categorisation of the project as one that did not involve the processing, storing or transferring of customer data. Therefore, a process with a strict set of security controls and oversight processes was not put into place.

We also found that the organisation had policies and procedures in place that, if followed, would have prevented the errors that led to the incident. However, documented policies and procedures alone do not demonstrate compliance with the Privacy Act if it cannot be shown that organisations are acting on them. On this basis, I found that the organisation did not have reasonable steps in place in compliance with the Privacy Act.

What these three incidents tell us is that it is essential to build privacy into business as usual practices and new projects from the very beginning, and that policies and procedures must be embedded into the culture of an organisation and acted on.

Of course, what constitutes ‘reasonable steps’ will always depend on the circumstances. When investigating a privacy breach I will always consider a number of factors. The Guide discusses all of these considerations in detail so I encourage you to refer to it.

APP 11

I now want to touch on the new APP 11 — security of personal information.

APP 11 will replace the existing IPP 4 and NPP 4 on data security. The obligations remain largely the same. However, under APP 11, an entity must now take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The inclusion of ‘interference’ is new and recognises that attacks on personal information may not be limited to misuse or loss and may include interference that doesn’t amount to modification of the content or information. This new element may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being ‘reasonable in the circumstances’.

The reforms and my enforcement approach

I do not have time to go through the various privacy reforms today. If you are not familiar with the changes, I strongly encourage you to check out the privacy reform page and Privacy Awareness Week resources available on the OAIC website. I also encourage you to join the OAIC’s Privacy Connections network for private sector organisations and stay in touch with iappANZ—the industry association for privacy professionals.

However, I did want to note that from March 2014 I will have a range of new enforcement powers to ensure compliance with the Privacy Act. For example, I will be able to conduct Performance Assessments of private sector organisations. These assessments may be conducted at any time, so I am putting businesses on notice that they need to have their systems and processes in place to be ready at all times for a Performance Assessment.

I will also have new enforcement powers and remedies in regard to own motion investigations. I will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

I will not be taking a softly-softly approach to these new powers. Let’s remember that the public sector has been working with the Privacy Act for nearly 25 years and the private sector for over 12 years, so these concepts are not new.

I would note that since I became Privacy Commissioner in mid-2010, I have been telling business and government that my focus will always be on resolving the majority of complaints via conciliation.

The business case

But I also want to emphasise that it is not all about the penalties. There is a very compelling business case to be made for privacy. As one senior privacy officer recently observed, it’s about the bigger question of how we create better privacy options for our customers. Further, if an organisation mishandles the personal information of its clients or customers, it risks the serious financial consequences associated with remediation, loss of trust and considerable harm to the organisation’s reputation, loss of customers and even serious impact on the organisation’s capacity to perform its core functions or activities. Recent research conducted in Australia indicates that 78% of Australians have refused to provide personal information online due to privacy concerns, and a recent global survey reported in the Economist found that 66% of the 758 internet users surveyed said that they sometimes did not buy a product or service because of concerns about the security and privacy of their personal information.

The business case is simply that good privacy practice is good business practice.